ML Security PapersSEMA: Simple yet Effective Learning for Multi-Turn Jailbreak Attacks
Mingqian Feng 1, Xiaodong Liu 2, Weiwei Yang 2, Jialin Song 2, Xuekai Zhu 2, Chenliang Xu 1, Jianfeng Gao 2
Published on arXiv
2602.06854
Prompt Injection
OWASP LLM Top 10 — LLM01
Key Finding
Achieves 80.1% ASR@1 averaged across three closed- and open-source victim models on AdvBench, outperforming the previous SOTA by 33.9%.
SEMA
Novel technique introduced
Multi-turn jailbreaks capture the real threat model for safety-aligned chatbots, where single-turn attacks are merely a special case. Yet existing approaches break under exploration complexity and intent drift. We propose SEMA, a simple yet effective framework that trains a multi-turn attacker without relying on any existing strategies or external data. SEMA comprises two stages. Prefilling self-tuning enables usable rollouts by fine-tuning on non-refusal, well-structured, multi-turn adversarial prompts that are self-generated with a minimal prefix, thereby stabilizing subsequent learning. Reinforcement learning with intent-drift-aware reward trains the attacker to elicit valid multi-turn adversarial prompts while maintaining the same harmful objective. We anchor harmful intent in multi-turn jailbreaks via an intent-drift-aware reward that combines intent alignment, compliance risk, and level of detail. Our open-loop attack regime avoids dependence on victim feedback, unifies single- and multi-turn settings, and reduces exploration complexity. Across multiple datasets, victim models, and jailbreak judges, our method achieves state-of-the-art (SOTA) attack success rates (ASR), outperforming all single-turn baselines, manually scripted and template-driven multi-turn baselines, as well as our SFT (Supervised Fine-Tuning) and DPO (Direct Preference Optimization) variants. For instance, SEMA performs an average $80.1\%$ ASR@1 across three closed-source and open-source victim models on AdvBench, 33.9% over SOTA. The approach is compact, reproducible, and transfers across targets, providing a stronger and more realistic stress test for large language model (LLM) safety and enabling automatic redteaming to expose and localize failure modes. Our code is available at: https://github.com/fmmarkmq/SEMA.
Key Contributions
- Prefilling self-tuning stage that stabilizes rollouts by fine-tuning on self-generated, non-refusal multi-turn adversarial prompts with minimal prefixes
- Intent-drift-aware reward combining intent alignment, compliance risk, and level of detail to anchor harmful objectives across multi-turn conversations
- Open-loop attack regime that unifies single- and multi-turn settings, avoids victim feedback dependence, and reduces exploration complexity